{BruCON} Botnets and Browsers – Brothers in a Ghost Shell

Botnets and Browsers – Brothers in a Ghost Shell

Aditya K Sood

Browser exploitation is on the rise. Botnets in conjunction with Browser Exploit Packs (BEPs) are becoming the source of incredible malware infections. The exploitation revolves around the manipulation of browser architectures, thereby infecting victims at large scale. Malware infection is proliferating day by day. In spite of new advanced protection features, stopping the infections that happen through browsers and take control of the victim’s machine remains an arduous task. Exploit packs and attack toolkits play a critical role in the success of malware infections. Browser Exploit Packs (BEPs) are based on the basic philosophy of exploiting the extensibility of browsers by utilizing the technology and developing code that works in line with the browser classes.

Talk Outline

Browser Malware Taxonomy

Bots & Browsers – Collaborative Design

Bots & Browsers – Exploitation Paradigm

Bots & Browsers – Web Injects / Fakes

Conclusions

The big problem is the theft of funds through online attacks.

Browser Malware Taxonomy

Class A – Browser Malware

Exists in the browser process (user-land)

Class B – Browser Malware

Exploits the browser or extensions/plugins

Class C – Browser Malware

Exploits the underlying browser to gain access to Kernel-land

Infection Model – Malware serving

Exploiting Web Vulnerabilities (XSS/SQLi)

Obfuscated code injected

JavaScript eval() – Evil Machine

Browser DOM calls

Browser loads malicious URL

Vulnerability in browser exploited

Exploit triggers shellcode

Malware binary drop

Parasitic infection occurs

Malware installed and connects back

Browsers –> Botnets: SDK

Custom designed SDK for communications.

SpyEye has an extensive SDK

Design of Plugins

Bot requires separate plugin to communicate with C&C

Botnet sends critical information through GET requests

Why use plugins?

Provides modularity

Updatability

SpyEye API in action

SpyEye Bot –> Custom Connector Plugin –> Gate.php

The custom connector plugin allows for updating bot configuration / executables as well as plugin management and 3rd party executable loading.

Bots & Browsers – Exploitation Paradigm

Ring 3 rootkit

Hooks DLLs in user-land space

Perform injection in web process

Hooks HTTP communication interface

Exploit browsers

Infection (Bots & Plugins)

Man in the Browser

Malware (bot/trojan) having the ability to infect browsers

Capable of modifying web pages and performing legitimate-looking actions

Invisible to the user

Steal credit card data

Spying on browser sessions

Hard to protect against in the browser itself. Protections need to be at the server-side. SSL won’t help as the attacker is already in the browser itself.

User-Agent Fingerprinting used to detect the browser exploits to use. UA string provides a great deal of information for an attacker to fingerprint the correct attack vectors. Detection code used by malware writers is often very generic. Entries for everything from Win95 and greater.

Browser Exploits Packs and Bots

Used in conjunction with botnets

On successful exploitation, bot is dropped into victim machine

Harnesses the power of two different frameworks to deliver malware

Same traces have been seen of ZEUS (botnet) + Blackhole (BEP)

Browser – Screen Scrapers

Capture screenshots from a victim during banking transactions

Possible to capture whole system screenshots, not just the browser

Provides additional support for bots for data exfiltration

Exploit system level functions

Automatically start capture once a victim connects to a banking website. Private browsing doesn’t help this…

Browser Form Grabbing

Keylogging produces too much data

Form grabbing extracts from GET/POST

Based on the concept of hooking and DLL Injection

Virtual Keyboards

Implements the form grabbing in the POST request to avoid issues

No real protection against malware

All botnets use this technique, and all browsers can be circumvented to execute non-legitimate hooks. Hard to overcome.

Credit Card Grabber – Verification

Why credit card number stealing is a success!

Botnets are always successful in extracting credentials from POST requests

CC Verification – The credit-card number is verified against the Luhn algorithm prior to sending to the botnet database

Trash is dropped

Doing the same checks that the banks make!
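The same Luhn check can be turned around and used defensively: a data-loss-prevention or log-scanning rule that only flags digit runs which pass the Luhn checksum produces far fewer false positives than a bare regex. The following is an added example, not code from the talk or from any botnet SDK; the sample log lines and the 13–19 digit length range are constructed assumptions.

```python
import re

def luhn_valid(number: str) -> bool:
    """Return True if the digit string (spaces/hyphens allowed) passes the Luhn checksum."""
    digits = number.replace(" ", "").replace("-", "")
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    # Walk from the rightmost digit; double every second digit and
    # subtract 9 when the doubled value has two digits.
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

# 13 to 19 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer digit run (assumed card-number shape).
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def find_card_numbers(text: str) -> list:
    """Return the normalised (digits-only) Luhn-valid card-like numbers found in text.

    Digit runs that fail the checksum are the 'trash' a careful scanner drops."""
    found = []
    for match in CARD_CANDIDATE.finditer(text):
        normalised = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(normalised):
            found.append(normalised)
    return found

# Constructed sample of outbound request lines (not real traffic).
SAMPLE_LOG = (
    "POST /checkout card=4111111111111111 exp=12/27\n"
    "POST /checkout card=5500 0000 0000 0004 exp=01/26\n"
    "GET /order?id=1234567890123\n"
    "POST /checkout card=4111111111111112 exp=03/28\n"
)

if __name__ == "__main__":
    for number in find_card_numbers(SAMPLE_LOG):
        print("Luhn-valid card-like number found:", number)
```

Of the four digit runs in the constructed sample, only the two well-known test numbers 4111111111111111 and 5500000000000004 pass the checksum; the order id and the off-by-one number are dropped, which is exactly the filtering the talk describes on the attacker's side.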

Bots & Browsers – Web Injects / Fakes

Web Injects – Infection on the fly

Injecting incoming request with malicious content

Web Page is tampered which looks legitimate

Primary aim to inject credential stealing forms and input tags

A similar concept is used to inject pointers to remote malware sites

Being in the browser you can customise the WebInjects to match any website required. Customisable and complex rules on what to capture from GET/POST requests. Extraction of sections of the request only.
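Because the inject lives in the browser, the only place the site owner can see it is in what arrives at the server: an injected form usually adds input fields (PIN, full card number, security questions) that the genuine page never had. A server-side check that compares the submitted field names against the schema of the form that was actually served is one practical detection. This is an added illustration, not code from the talk; the `/login` schema, the field names and the sample POST bodies are constructed assumptions.

```python
from urllib.parse import parse_qs

# Field names the genuine form for each path is served with (constructed schema).
EXPECTED_FIELDS = {
    "/login": {"username", "password", "csrf_token"},
    "/transfer": {"from_account", "to_account", "amount", "csrf_token"},
}

# Field names that a bank form would never legitimately ask for at these
# steps; their presence is a strong web-inject indicator (assumed list).
HIGH_RISK_FIELDS = {"atm_pin", "card_number", "cvv", "mothers_maiden_name", "ssn"}

def unexpected_fields(path: str, body: str) -> list:
    """Return the submitted field names that are not part of the served form."""
    submitted = set(parse_qs(body, keep_blank_values=True))
    return sorted(submitted - EXPECTED_FIELDS.get(path, set()))

def classify_post(path: str, body: str) -> tuple:
    """Classify a POST as 'ok', 'unexpected-fields' or 'suspect-webinject'.

    The second element lists the offending field names so the event can be
    logged and the session stepped up for extra verification."""
    extra = unexpected_fields(path, body)
    if not extra:
        return ("ok", [])
    if any(name in HIGH_RISK_FIELDS for name in extra):
        return ("suspect-webinject", extra)
    return ("unexpected-fields", extra)

# Constructed sample of three login submissions (not real traffic).
SAMPLE_POSTS = [
    ("/login", "username=alice&password=s3cret&csrf_token=abc123"),
    ("/login", "username=bob&password=hunter2&csrf_token=def456&remember_me=1"),
    ("/login", "username=carol&password=pw&csrf_token=ghi789"
               "&atm_pin=1234&card_number=4111111111111111&cvv=999"),
]

def scan_posts(posts) -> list:
    """Run the classifier over (path, body) pairs and return the verdicts."""
    return [classify_post(path, body) for path, body in posts]

if __name__ == "__main__":
    for (path, _), verdict in zip(SAMPLE_POSTS, scan_posts(SAMPLE_POSTS)):
        print(path, verdict)
```

The middle case shows why the check needs two tiers: a stray `remember_me` field is more likely a front-end change than an attack, whereas a login form suddenly carrying `atm_pin` and `card_number` should be treated as a compromised client and handled out of band rather than by anything delivered to that browser.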

Web Fakes

Plugins are used to spoof content to the browser

Supports both protocols (HTTP/HTTPS)

Based on the concept of internal URL redirections

All browsers are affected

User requests their banking website. Using tricks like CSS injection, it returns fake versions of the site to gather the required data. Lists of which site to fake and which to leave are configured in the botnet.


Note: A large portion of content I post on my blog comes from "live blogging" of security conferences. These posts are in notes form and are written live during a talk. As such, errors and omissions are expected. I'm only human after all!